Hey all, i got a little question is macro able to compare 2 strings? (i think yes)
Been searching and the most close i get its INSTR macro.
Also i check hutch $case implementation and i got a curiosity in this:
;; --------------------------------
;; Start a new .IF block and update the state global.
.IF FUNC(szCmp, $test_val$, chr$(quoted_text)) != 0
FUNC(szCmp) means that will be done by preprocessor?
I want to make this:
_Invoke <GetModuleHandle>
Making _Invoke macros search for GetModuleHandle string into a buffer and returns me the address (of the string) so i can do other calculations, is this possible in preprocessor?
Thanks.
Macros are expand while assembling the code. They help you to create code, but they did not exist at runtime. If you want to compare a string at runtime, use the szcmp function from the masmlib or write your own peach of code.
Quote from: qWord on June 17, 2010, 09:53:59 PM
Macros are expand while assembling the code. They help you to create code, but they did not exist at runtime. If you want to compare a string at runtime, use the szcmp function from the masmlib or write your own peach of code.
Yes, but isnt possible then to compare 2 strings by macros?
yes, using IFIDN
e.g.:
; returns 1, if strings are equal
cmplit macro lit1,lit2
IFIDN <lit1>,<lit2> ; strings are equal ?
EXITM <1>
ELSE
EXITM <0>
ENDIF
endm
Quote from: qWord on June 17, 2010, 10:03:43 PM
yes, using IFIDN
e.g.:
; returns 1, if strings are equal
cmplit macro lit1,lit2
IFIDN <lit1>,<lit2> ; strings are equal ?
EXITM <1>
ELSE
EXITM <0>
ENDIF
endm
I tryed this but i use 1 literal string that want to compare agaisnt an already defined string in .Data section example:
.Data
Test DB "Hello", 0
_Invoke <Hello>I dont want to use any runtime for make the cmp, is possible?
PS: The original idea involves a list of define strings:
.Data
Test DB "Hello", 0, 0
DB "Hello2", 0
_Invoke <Hello>All stings aligned just in case. Also if the string is found i need to know the address of where it was found so i can do some other calculations.
you cant read data that has once written to the data section (using db, dw, dd ...). Could you more detailed descripe what are you tyring to do?
Quote from: qWord on June 17, 2010, 10:12:30 PM
you cant read data that has once written to the data section (using db, dw, dd ...). Could your more detailed descripe what are you tyring to do?
I got several procedures that are mapped in memory from a file (relocs fixed) i name those procedures by an algorithm and set them into a struct.
MappedProcs Struct
pProcAddr:Dword
pProcSize:Dword ;JUST FOR INFO
MappedProcs EndS
.Data?
pMappedProcs DB 3*SizeOf MappedProcs Dup(?)
.Data
ProcList DB "Test1", 0, 1
DB "Test2", 0, 2
DB "Test3", 0, 3
.Code
_Invoke <Test1>, 1, 5, 7So in the macros i should compare literal Test1 with one of the ProcList and if founded then return me the address so i can read the next byte after the end of string and make:
_Invoke Macro String:REQ, ARGS:VARARG
LOCAL X, Y
;COMPARE STRING WITH PROCLIST
;RETURN FOUNDED STRING ADDRESS ON X LOCAL
X = X+1
Y = [X]*SizeOf MappedProcs + Offset pMappedProcs
InvokeThis Y, ARGS
EndMI got a macros for emulate the invoke (InvokeThis). But the problem is i want to calculate the address of my procedure mapped without using runtime. I thought by comparing strings + indexed byte of struct i could do it.
Problem is i dont know how compare 1 literal agaisnt memory with macros.
PS: I use the string list since i want to threat them the most "flexible possible" i dont want to use the index order of each procedure for invoke like this:
mov eax, Index
imul eax, eax, SizeOf MappedProcs
add eax, pMappedProcs
InvokeThis [eax], 1, 2, 3
yes, it may be possible, but is there an special reason not using a normal DLL or lib?
Quote from: qWord on June 17, 2010, 10:44:28 PM
yes, it may be possible, but is there an special reason not using a normal DLL?
I got a security company and i am researching this idea i have in my mind.
So i want to develop this idea in the most "flexible way" in source code and spend has less runtime possible.
But my interest over macros was never the best, now i can see i was wrong :(
But the idea is possible isnt? i just need the literal cmp agaisnt memory and get the addr of founded string in list.
PS: About the file is not a DLL or a lib, its kind of a mix of things, so we do kind of a "Just in time compilator" and map the procedures in our soft
Quote from: theunknownguy on June 17, 2010, 10:50:23 PMi just need the literal cmp agaisnt memory and get the addr of founded string in list.
well as said, memory access isn't possible.
However, if you declare the ProcList as text macros and constants, it is possible to find the right function.
This only assumes, that the load order of your procs are the same as the order of declaring the proc list.
Give some minutes to show what I've meant.
Quote from: qWord on June 17, 2010, 10:57:05 PM
Quote from: theunknownguy on June 17, 2010, 10:50:23 PMi just need the literal cmp agaisnt memory and get the addr of founded string in list.
well as said, memory access isn't possible.
However, if you declare the ProcList as text macros and constants, it is possible to find the right function.
This only assumes, that the load order of your procs are the same as the order of declaring the proc list.
Give some minutes to show what I've meant.
Thanks so much, has i say i am NULL macros knowledge
This only assumes, that the load order of your procs are the same as the order of declaring the proc list.You read my mind, at first we try to make a sort of "random load" for procedure mapped order, but finally found that is no possible to use any approach for "flexible" code witht his idea...
just one short question: why not simply declaring function pointer, which can be used with invoke?
Quote from: qWord on June 17, 2010, 11:04:20 PM
just one short question: why not simply declaring function pointer, which can be used with invoke?
We use virtual memory alloc for map the procs, so we will have to set them into a pointer list and call them in a non flexible way.
(We threat this procs has APIs and we use them many time)
So remembering the pointer list order without a name its not so much fun or practical to do.
At least with string like <MyTestProc> we can remember them, the order and do much practical. (If its fully without runtime)
you can declare function pointers with names:
.data
;pr0 is defined in windows.inc as an stdcall function with zero parameters.
; typedef function pointer
PFNC0 typedef ptr pr0
...
;decleare the function pointers
MyFunction1 PFNC0 ?
MyFunction2 PFNC0 ?
...
invoke MyFunction1
Quote from: qWord on June 17, 2010, 11:19:04 PM
you can declare function pointers with names:
.data
;pr0 is defined in windows.inc as an stdcall function with zero parameters.
; typedef function pointer
PFNC0 typedef ptr pr0
...
;decleare the function pointers
MyFunction1 PFNC0 ?
MyFunction2 PFNC0 ?
...
Would have to set the VirtualAlloc addr returned of maped space inside of those pointers and do some kind of:
mov eax, MyFuction1
call [eax]
Or
InvokeThis MyFuction1 (and make the macros do inside the trick)Also each pointer holder is not dinamical, meaning if they know the address will go direct to it (attackers).
If we allocate the struct for hold the pointers that are already done by VirtualAlloc then each time soft is opened they will change (at least in theory)
Seems like a pain in the ass to do, but its the price of the idea.
ok, i did not full understand your concept, but these macros may help you:
declare_proc macro name:req
IFNDEF dclp_cntr
dclp_cntr = 0
ENDIF
@CatStr(<dclp_proc_>,%dclp_cntr) TEXTEQU <&name>
dclp_cntr = dclp_cntr + 1
endm
; returns zero-based index or -1 if proc not found
get_proc_index macro name:req
IFNDEF dclp_cntr
.err <xyz>
EXITM <-1>
ENDIF
gpi_cntr = 0
gpi_flag = 0
REPEAT dclp_cntr
% IFIDN <@CatStr(<dclp_proc_>,%gpi_cntr)>,<&name>
gpi_flag = 1
EXITM
ENDIF
gpi_cntr = gpi_cntr + 1
ENDM
IF gpi_flag
EXITM %gpi_cntr
ELSE
.err <function not found>
EXITM <-1>
ENDIF
endm
declare_proc Test1
declare_proc abc
declare_proc def
%echo get_proc_index(def)
Quote from: qWord on June 17, 2010, 11:28:39 PM
ok, i did not full understand your concept, but these macros may help you:
declare_proc macro name:req
IFNDEF dclp_cntr
dclp_cntr = 0
ENDIF
@CatStr(<dclp_proc_>,%dclp_cntr) TEXTEQU <&name>
dclp_cntr = dclp_cntr + 1
endm
; returns zero-based index or -1 if proc not found
get_proc_index macro name:req
IFNDEF dclp_cntr
.err <xyz>
EXITM <-1>
ENDIF
gpi_cntr = 0
gpi_flag = 0
REPEAT dclp_cntr
% IFIDN <@CatStr(<dclp_proc_>,%gpi_cntr)>,<&name>
gpi_flag = 1
EXITM
ENDIF
gpi_cntr = gpi_cntr + 1
ENDM
IF gpi_flag
EXITM %gpi_cntr
ELSE
.err <function not found>
EXITM <-1>
ENDIF
endm
declare_proc Test1
declare_proc abc
declare_proc def
%echo get_proc_index(def)
You rulz thanks so much going to test it right now :cheekygreen:
PS: It takes the index in base of the order of setting isnt?
Quote from: theunknownguy on June 17, 2010, 11:32:39 PM
PS: It takes the index in base of the order of setting isnt?
yes, in the order of declaration.
Can i request this thread to be deleted or leave my first post only + final answer of qword please.
Thanks much for the help.
Using macro for string compare can make your app size bigger but faster, using proc can make it slower but less byte added each time you compare the string.
theunknownguy,
> Can i request this thread to be deleted or leave my first post only + final answer of qword please.
No as a matter of fact, this forum is among other things a database for other members to read and use and the development of a thread from its first post to any answers it may receive is preserved for other members to read.
You should not treat this forum like a paid help desk, you could not afford the costs involveed if it was.
Quote from: hutch-- on June 18, 2010, 03:29:33 PM
theunknownguy,
> Can i request this thread to be deleted or leave my first post only + final answer of qword please.
No as a matter of fact, this forum is among other things a database for other members to read and use and the development of a thread from its first post to any answers it may receive is preserved for other members to read.
You should not treat this forum like a paid help desk, you could not afford the costs involveed if it was.
I think you get it wrong, but no worry the stupid nickname i use nobody will track to this forum at least...
But has i say there are post here that doesnt involve the problem, where just aditional info for qWord. Does anyone need to read that? (nothing releated to the problem)
I tought post where preserved for other members to read when the question / answer have vital information for solve the problem...
But still was just a request. And i dont treat the forum has a paid help desk, but yeah i could afford the costs, money is not a problem if that what you mean.
PS: At least on my world everything have a price.